stolon icon indicating copy to clipboard operation
stolon copied to clipboard

Published 20 hours ago verified publisher icon sorintlab

`check function error` when `enableServiceLinks` option set in k8s-1.14.3

Open icefed opened this issue 5 years ago • 9 comments

Submission type

  • Bug report

Environment

Kubernetes 1.14.3

Stolon version

v0.13.0-pg9.6

Additional environment information if useful to understand the bug

Add enableServiceLinks: false option to stolon-* PodSpec, Keeper and Proxy print error and can not work.

Expected behaviour you didn't see

Unexpected behaviour you saw

Stolon-Proxy error output

2019-06-26T08:00:26.228Z INFO cmd/proxy.go:302 check function error {"error": "failed to update proxyInfo: update failed: Pod "stolon-proxy-5f5f8cb9cd-82cmr" is invalid: spec: Forbidden: pod updates may not change fields other than spec.containers[*].image, spec.initContainers[*].image, spec.activeDeadlineSeconds or spec.tolerations (only additions to existing tolerations)\n{"Volumes":[{"Name":"default-token-hs6cs","HostPath":null,"EmptyDir":null,"GCEPersistentDisk":null,"AWSElasticBlockStore":null,"GitRepo":null,"Secret":{"SecretName":"default-token-hs6cs","Items":null,"DefaultMode":420,"Optional":null},"NFS":null,"ISCSI":null,"Glusterfs":null,"PersistentVolumeClaim":null,"RBD":null,"Quobyte":null,"FlexVolume":null,"Cinder":null,"CephFS":null,"Flocker":null,"DownwardAPI":null,"FC":null,"AzureFile":null,"ConfigMap":null,"VsphereVolume":null,"AzureDisk":null,"PhotonPersistentDisk":null,"Projected":null,"PortworxVolume":null,"ScaleIO":null,"StorageOS":null,"CSI":null}],"InitContainers":null,"Containers":[{"Name":"stolon-proxy","Image":"sorintlab/stolon:v0.13.0-pg9.6","Command":["/bin/bash","-ec","exec gosu stolon stolon-proxy\n"],"Args":null,"WorkingDir":"","Ports":[{"Name":"","HostPort":0,"ContainerPort":5432,"Protocol":"TCP","HostIP":""},{"Name":"","HostPort":0,"ContainerPort":8080,"Protocol":"TCP","HostIP":""}],"EnvFrom":null,"Env":[{"Name":"POD_NAME","Value":"","ValueFrom":{"FieldRef":{"APIVersion":"v1","FieldPath":"metadata.name"},"ResourceFieldRef":null,"ConfigMapKeyRef":null,"SecretKeyRef":null}},{"Name":"STPROXY_CLUSTER_NAME","Value":"","ValueFrom":{"FieldRef":{"APIVersion":"v1","FieldPath":"metadata.labels['stolon-cluster']"},"ResourceFieldRef":null,"ConfigMapKeyRef":null,"SecretKeyRef":null}},{"Name":"STPROXY_STORE_BACKEND","Value":"kubernetes","ValueFrom":null},{"Name":"STPROXY_KUBE_RESOURCE_KIND","Value":"configmap","ValueFrom":null},{"Name":"STPROXY_LISTEN_ADDRESS","Value":"0.0.0.0","ValueFrom":null},{"Name":"STPROXY_METRICS_LISTEN_ADDRESS","Value":"0.0.0.0:8080","ValueFrom":null},{"Name":"STPROXY_TCP_KEEPALIVE_IDLE","Value":"600","ValueFrom":null},{"Name":"STPROXY_TCP_KEEPALIVE_COUNT","Value":"8","ValueFrom":null},{"Name":"STPROXY_TCP_KEEPALIVE_INTERVAL","Value":"75","ValueFrom":null}],"Resources":{"Limits":null,"Requests":null},"VolumeMounts":[{"Name":"default-token-hs6cs","ReadOnly":true,"MountPath":"/var/run/secrets/kubernetes.io/serviceaccount","SubPath":"","MountPropagation":null,"SubPathExpr":""}],"VolumeDevices":null,"LivenessProbe":null,"ReadinessProbe":{"Exec":null,"HTTPGet":null,"TCPSocket":{"Port":5432,"Host":""},"InitialDelaySeconds":10,"TimeoutSeconds":5,"PeriodSeconds":10,"SuccessThreshold":1,"FailureThreshold":3},"Lifecycle":null,"TerminationMessagePath":"/dev/termination-log","TerminationMessagePolicy":"File","ImagePullPolicy":"IfNotPresent","SecurityContext":null,"Stdin":false,"StdinOnce":false,"TTY":false}],"RestartPolicy":"Always","TerminationGracePeriodSeconds":30,"ActiveDeadlineSeconds":null,"DNSPolicy":"ClusterFirst","NodeSelector":{"node-role.kubernetes.io/master":""},"ServiceAccountName":"default","AutomountServiceAccountToken":null,"NodeName":"n227","SecurityContext":{"HostNetwork":false,"HostPID":false,"HostIPC":false,"ShareProcessNamespace":null,"SELinuxOptions":null,"RunAsUser":null,"RunAsGroup":null,"RunAsNonRoot":null,"SupplementalGroups":null,"FSGroup":null,"Sysctls":null},"ImagePullSecrets":null,"Hostname":"","Subdomain":"","Affinity":null,"SchedulerName":"default-scheduler","Tolerations":[{"Key":"node.kubernetes.io/not-ready","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300},{"Key":"node.kubernetes.io/unreachable","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300}],"HostAliases":null,"PriorityClassName":"","Priority":0,"DNSConfig":null,"ReadinessGates":null,"RuntimeClassName":null,"EnableServiceLinks":\n\nA: true}\n\nB: false}\n\n"}

Steps to reproduce the problem

icefed avatar Jun 26 '19 08:06 icefed

Any update on this issue, we seem to have a similar / the same problem.

  • Running on kubernetes 1.13.11
  • Tested with stolon v0.11 and v0.14
  • Applies to all stolon components (proxy, keeper, sentinel)
2019-09-20T14:03:36.637Z        ERROR   cmd/sentinel.go:1857    cannot update sentinel info     {"error": "update failed: Pod \"stolon-sentinel-5d58cc4ffc-hr66w\" is invalid: spec: Forbidden: pod updates may not change fields other than ``spec.containers[*].image`,` `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)

On kubernetes 1.12.8 with stolon v0.11 we didn't see this error.

harmjanblok avatar Sep 20 '19 14:09 harmjanblok

@icefed I haven't tried with enableServiceLinks set to false. I'm not sure how this is related. Perhaps an issue in the k8s client version we are using.

@harmjanblok Are you too disabling enableServiceLinks?

sgotti avatar Sep 20 '19 16:09 sgotti

Remove enableServiceLinks then deploy stolon is fine, mybe we can update k8s client version and try again.

And enableServiceLinks added sine kubernetes 1.13 https://github.com/kubernetes/kubernetes/pull/68754

icefed avatar Sep 23 '19 06:09 icefed

No I don't specify anything for enableServiceLinks, pods have assigned the default (enableServiceLinks: true).

harmjanblok avatar Sep 23 '19 09:09 harmjanblok

In my setup it seems to fail because it want to set ProcMount: null, while it currently uses the default ProcMount: "Default" (ProcMount is inside the pod SecurityContext). I'm still working on a reproducable setup which I can share.

harmjanblok avatar Sep 23 '19 09:09 harmjanblok

ProcMount added to SecurityContext since kubernetes 1.12 https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md#new-features

icefed avatar Sep 23 '19 10:09 icefed

@harmjanblok If you haven't changed enableServiceLinks to false your issue is different than the one originally reported. Can you open a new issues with the steps to reproduce it (with the steps to reproduce it in a simple k8s environment like minikube)?

sgotti avatar Sep 23 '19 10:09 sgotti

@icefed thanks for the link, I'll investigate further, my issue seems to be caused by a bug introduced with this change: https://github.com/kubernetes/kubernetes/pull/78881 @sgotti yes it seems to be a different issue. Originally thought both might related to the used client-go libraries, hence I commented in this thread.

harmjanblok avatar Sep 23 '19 11:09 harmjanblok

In https://github.com/harmjanblok/stolon/commit/fbfaf9265535ee99d992509a6c806067888a0499 I've pushed the test setup I was using to reproduce the issue. I've been able to reproduce both issues (enableServiceLinks and procMount), although the procMount was caused by a kubernetes bug.

Steps to reproduce:

cd test-kubernetes
kind create cluster --config kind-config.yml
export KUBECONFIG="$(kind get kubeconfig-path --name="kind")"
kubectl apply -f k8s/
kubectl exec -it deploy/stolon-sentinel -- stolonctl init --cluster-name kube-stolon --store-backend kubernetes --kube-resource-kind configmap
kubectl logs deploy/stolon-sentinel -f
...
kind delete cluster

harmjanblok avatar Sep 24 '19 05:09 harmjanblok